In many ways, identifying malicious traffic is like looking for a needle in a haystack. Most of the time, 99.9 percent of traffic is genuine. Yet it is important to inspect all of it in order to identify the 0.01 percent that is malicious in nature. A good Managed Detection and Response (MDR) solution does exactly this.
IT security is undoubtedly a highly specialized field that requires specialized technology as well as niche talent with deep subject matter expertise. It can be disconcerting for organizations to expose their data to a third party, since there is always the danger of that data being compromised. Yet, while some organizations may choose to handle security monitoring internally, handing it over to a third party that specializes in threat detection is often the best option.
The key is to identify an MDR solution provider that has the expertise and is trustworthy. Here are a few points to keep in mind before you decide:
1. Watertight SLAs
Given that you are handing over your data to a third party for screening, agreeing on a comprehensive SLA is the most important step. For instance, most of our SLAs with our clients require us to report any suspicious data within 30 minutes, day or night. Instituting stringent penalty clauses that account for any lapses on the part of the solution provider is a good way to ensure that they have skin in the game.
2. Risk Appetite
As mentioned earlier, the number of malicious events in the logs is usually minuscule. However, a detection system often produces a number of false positives: events that look malicious but are not. Taking a position on these is important, because if the MDR service flags too many false positives, the effectiveness of the solution is compromised. The IT team cannot possibly devote enough time to evaluate each flagged event, and as a result genuinely malicious activity may fly under the radar. Deciding on an optimum approach, based on factors such as the sensitivity of the data, is essential.
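The trade-off described above can be made concrete. The following is an added illustration, not code from the original article or from any MDR provider: it takes a constructed set of scored alerts with known ground truth and shows how raising the flagging threshold reduces false positives at the cost of missed detections, and how a fixed analyst triage capacity turns the "risk appetite" decision into a threshold choice. The alert scores, labels and capacity figures are all assumptions made up for the example.

```python
"""Added example (not part of the original article): how a flagging threshold
trades false positives against missed detections under a fixed analyst
triage capacity. All alert data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    score: float      # detector confidence, 0.0 - 1.0 (constructed)
    malicious: bool   # ground truth from post-incident review (constructed)


# Constructed sample: mostly benign events, a few genuinely malicious ones,
# and some benign events with high scores (the false positives the text describes).
SAMPLE_ALERTS = [
    Alert(0.95, True), Alert(0.88, True), Alert(0.62, True), Alert(0.41, True),
    Alert(0.91, False), Alert(0.77, False), Alert(0.70, False), Alert(0.55, False),
    Alert(0.50, False), Alert(0.33, False), Alert(0.20, False), Alert(0.12, False),
]


def triage_stats(alerts, threshold):
    """Return (flagged, true_positives, false_positives, missed) at a threshold.

    An alert is flagged for analyst review when score >= threshold; anything
    below the threshold is never seen by a human, so malicious events there
    are 'missed'."""
    flagged = [a for a in alerts if a.score >= threshold]
    tp = sum(a.malicious for a in flagged)
    fp = len(flagged) - tp
    missed = sum(a.malicious for a in alerts) - tp
    return len(flagged), tp, fp, missed


def choose_threshold(alerts, analyst_capacity, candidates=None):
    """Pick the lowest threshold whose flagged volume fits the analyst capacity.

    Flagged volume only falls as the threshold rises, so scanning candidate
    thresholds in ascending order and stopping at the first that fits yields
    the most permissive (highest-recall) threshold the team can actually
    review. Returns (threshold, flagged, tp, fp, missed), or None if even the
    strictest threshold exceeds capacity."""
    if candidates is None:
        candidates = sorted({a.score for a in alerts})
    for t in candidates:
        flagged, tp, fp, missed = triage_stats(alerts, t)
        if flagged <= analyst_capacity:
            return (t, flagged, tp, fp, missed)
    return None


if __name__ == "__main__":
    for t in (0.4, 0.5, 0.7, 0.9):
        flagged, tp, fp, missed = triage_stats(SAMPLE_ALERTS, t)
        print(f"threshold {t:.2f}: flagged={flagged} tp={tp} fp={fp} missed={missed}")
    # A team that can review 6 alerts per shift (assumed figure).
    print("capacity 6 ->", choose_threshold(SAMPLE_ALERTS, 6))
```

Running it shows the shape of the decision: at a threshold of 0.50 the team reviews 8 alerts to catch 3 of 4 malicious events, while at 0.90 it reviews only 2 and misses 3. With a capacity of 6 reviews the most permissive workable threshold is 0.62, which still leaves one malicious event unreviewed; whether that is acceptable is exactly the risk-appetite question the article raises, and it depends on how sensitive the data behind the missed event is.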
3. Customization
Each organization is different, and so are its needs. While selecting an MDR solution, ensure that you have the option to customize the solution you are investing in so that it meets your unique requirements. Often, Managed Security Service Providers (MSSPs) that deliver their services through third-party products do not have the option of customizing their solution.
4. Regular Updates
Given that new threats emerge all the time in the form of viruses, malware and ransomware, regular upgrades of your security products are absolutely a must. One word of caution: discuss the cost impact of these updates beforehand, since they can make your budget planning go awry. At SISA, for example, we upgrade products every eight weeks, and the upgrades are done free of cost.
5. Depth of Expertise
Tracking malicious traffic is one part of the equation. In addition, making sense of the data in terms of its origin, intent and so on is key to preventing future attacks. Therefore, while selecting an MDR solutions vendor, expertise in all aspects of security is an important factor to consider. For instance, does the vendor have a forensics team in place to analyse the malicious data? These capabilities make a huge difference.
A good MDR solutions provider plays an important role in ensuring the security of an organization's data, but being savvy about choosing the right one is just as important.